What is claimed is: 

1. A system for dynamically configuring parameterized validation rules in a distributed computing environment, comprising:

a plurality of packet validation devices, each situated within the distributed computing environment at packet routing points and validating packet traffic using parameterized validation rules;

a plurality of hierarchical tree nodes structured into a plurality of tiered layers with each tree node interfaced to at least one other tree node, those tree nodes at a lowermost layer further interfaced to at least one packet validation device from which validation rule parameters are retrieved and processed; and

a root tree node interfaced to an uppermost layer of tree nodes from which validation rule parameters are retrieved and disseminated to each of the packet validation devices.



2. A system according to Claim 1, further comprising:

a concast path interconnecting the packet validation devices, the tree nodes, and the root tree node via an interconnection reserved for validation rule parameter exchange.



3. A system according to Claim 1, further comprising:

a dissemination path interconnecting the root tree node with each packet validation device via an interconnection reserved for validation rule parameter exchange.

4. A system according to Claim 1, further comprising:

a filter executed by each tree node on retrieved validation rule parameters to remove at least one of duplicate validation rule parameters and validation rule parameters sharing commonly identified network address space.

5. A system according to Claim 1, wherein the validation rule parameters each comprise a source network address and subnet mask, a source network port, a destination network address and subnet mask, a destination network port, and one or more network protocol identifiers.

6. A method for dynamically configuring parameterized validation rules in a distributed computing environment, comprising:

fielding a plurality of packet validation devices, each situated within the distributed computing environment at packet routing points and validating packet traffic using parameterized validation rules;

interconnecting a plurality of hierarchical tree nodes structured into a plurality of tiered layers with each tree node interfaced to at least one other tree node, those tree nodes at a lowermost layer further interfaced to at least one packet validation device from which validation rule parameters are retrieved and processed; and

interfacing a root tree node to an uppermost layer of tree nodes from which validation rule parameters are retrieved and disseminated to each of the packet validation devices.

7. A method according to Claim 6, further comprising:

interconnecting a concast path between the packet validation devices, the tree nodes, and the root tree node via an interconnection reserved for validation rule parameter exchange.

8. A method according to Claim 6, further comprising:

interconnecting a dissemination path between the root tree node and each packet validation device via an interconnection reserved for validation rule parameter exchange.

9. A method according to Claim 6, further comprising:

executing a filter by each tree node on retrieved validation rule parameters to remove at least one of duplicate validation rule parameters and validation rule parameters sharing commonly identified network address space.
10. A method according to Claim 6, wherein the validation rule 
parameters each comprise a source network address and subnet mask, a source 
network port, a destination network address and subnet mask, a destination 
network port, and one or more network protocol identifiers. 

11. A computer-readable storage medium holding code for performing 
the method of Claim 6. 

12. A system for communicating coalesced rule parameters in a 
distributed computing environment, comprising: 

a plurality of packet validation devices communicatively interposed 
between network routing points within the distributed computing environment 
and applying parameterized rules to transiting network packet traffic; 

a plurality of processing tree nodes configured into a concast tree, 
comprising: 

in a lowermost layer of the concast tree, each processing tree node 
collecting and coalescing rule parameters from at least one packet validation 
device; and 

in each successive layer of the concast tree, each processing tree 
node collecting and coalescing the rule parameters from at least one processing 
tree node in a next lower layer of the concast tree; 

a control center assembling the coalesced rule parameters from each 
packet validation device in an uppermost layer of the concast tree; and 

a dissemination path forwarding the coalesced rule parameters from the 
control center to each packet validation device. 

13. A system according to Claim 12, wherein each processing tree 
node further comprises: 

a parameter filter removing duplicate rule parameters and consolidating 
commonly identified network address space. 
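As an added illustration of the mechanism in claims 4, 9, 12, 13, 21 and 22 (this is example code written for this page, not code from the patent or its assignee), the following Python models a concast tree in which leaf nodes collect rule parameters from packet validation devices, every layer coalesces what it gathered (dropping exact duplicates and parameters whose address space is already covered by a broader parameter with the same ports and protocol), and a control center assembles the result at the root and disseminates it to every device. The class names, the tree shape, the device names and all sample rule parameters are constructed assumptions; the parameter fields follow claim 19.

```python
"""Added example (not from the patent): a concast tree that collects rule
parameters from packet validation devices, coalesces them layer by layer,
and disseminates the assembled set back from a control center.
All names, the tree shape and the sample rules are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class RuleParams:
    """One parameter set as in claim 19: source/destination address with
    subnet mask, source/destination port (None = any), and protocol."""
    src_net: IPv4Network
    src_port: Optional[int]
    dst_net: IPv4Network
    dst_port: Optional[int]
    protocol: str


def rule(src: str, sport: Optional[int], dst: str,
         dport: Optional[int], proto: str) -> RuleParams:
    """Build a RuleParams with normalised networks so equal prefixes compare equal."""
    return RuleParams(ip_network(src, strict=False), sport,
                      ip_network(dst, strict=False), dport, proto)


def covers(outer: RuleParams, inner: RuleParams) -> bool:
    """True if outer's address space contains inner's and all other fields
    match, i.e. the two rules share commonly identified network address space."""
    same_rest = ((outer.src_port, outer.dst_port, outer.protocol)
                 == (inner.src_port, inner.dst_port, inner.protocol))
    return (same_rest and inner.src_net.subnet_of(outer.src_net)
            and inner.dst_net.subnet_of(outer.dst_net))


def coalesce(rules: Iterable[RuleParams]) -> List[RuleParams]:
    """Parameter filter (claims 4, 9, 13, 22): drop exact duplicates, then drop
    any rule whose address space is already covered by a broader rule."""
    unique = list(dict.fromkeys(rules))            # dedup, order preserved
    return [r for r in unique
            if not any(o != r and covers(o, r) for o in unique)]


class ValidationDevice:
    """Packet validation device at a routing point: holds the parameters it
    learned locally and the coalesced set it currently enforces."""
    def __init__(self, name: str, local_rules: Iterable[RuleParams]):
        self.name = name
        self.local_rules = list(local_rules)
        self.active: List[RuleParams] = []

    def matches(self, src: str, sport: int, dst: str, dport: int, proto: str) -> bool:
        """Validate one packet against the active (disseminated) parameters."""
        s, d = ip_network(src), ip_network(dst)    # host addresses become /32
        return any(s.subnet_of(r.src_net) and d.subnet_of(r.dst_net)
                   and r.protocol == proto
                   and r.src_port in (None, sport) and r.dst_port in (None, dport)
                   for r in self.active)


class TreeNode:
    """Processing tree node: the lowest layer collects from devices, higher
    layers from child nodes; each layer coalesces before passing upward."""
    def __init__(self, name: str, children: Iterable["TreeNode"] = (),
                 devices: Iterable[ValidationDevice] = ()):
        self.name = name
        self.children = list(children)
        self.devices = list(devices)

    def collect(self) -> List[RuleParams]:
        gathered: List[RuleParams] = []
        for dev in self.devices:
            gathered.extend(dev.local_rules)
        for child in self.children:
            gathered.extend(child.collect())
        return coalesce(gathered)


def control_center_cycle(root: TreeNode,
                         devices: Iterable[ValidationDevice]) -> List[RuleParams]:
    """Control center: assemble the coalesced parameters at the root of the
    concast tree and disseminate them to every packet validation device."""
    assembled = root.collect()
    for dev in devices:
        dev.active = list(assembled)
    return assembled


def demo() -> List[RuleParams]:
    # Constructed sample: three devices behind two leaf nodes and one root.
    dev_a = ValidationDevice("pvd-a", [
        rule("10.1.0.0/16", None, "192.0.2.0/24", 80, "tcp"),
        rule("10.1.5.0/24", None, "192.0.2.0/24", 80, "tcp"),       # inside the /16 above
        rule("198.51.100.7/32", None, "203.0.113.0/24", 53, "udp"),
    ])
    dev_b = ValidationDevice("pvd-b", [
        rule("10.1.0.0/16", None, "192.0.2.0/24", 80, "tcp"),       # duplicate of dev_a's
        rule("198.51.100.0/24", None, "203.0.113.0/24", 53, "udp"), # covers dev_a's /32
    ])
    dev_c = ValidationDevice("pvd-c", [
        rule("10.2.0.0/16", None, "192.0.2.10/32", 443, "tcp"),
    ])
    root = TreeNode("root", children=[
        TreeNode("leaf-1", devices=[dev_a, dev_b]),
        TreeNode("leaf-2", devices=[dev_c]),
    ])
    assembled = control_center_cycle(root, [dev_a, dev_b, dev_c])
    # Every device now enforces the same 3 coalesced parameter sets,
    # including one it never observed locally.
    assert dev_c.matches("198.51.100.7", 5353, "203.0.113.5", 53, "udp")
    return assembled


if __name__ == "__main__":
    for r in demo():
        print(r.src_net, r.src_port, r.dst_net, r.dst_port, r.protocol)
```

Running the module prints the three parameter sets that survive coalescing: the two /24 entries that were covered by or duplicated a broader entry are removed at the leaf layer, so the root and the control center never see them. The coverage check deliberately requires identical ports and protocol before consolidating address space, since merging across differing ports would widen what a device accepts beyond what any single source reported.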
14. A system according to Claim 12, wherein each packet validation 
device further comprises: 

a rule filter limiting application of the coalesced rule parameters to those 
network routing points within a pre-determined vicinity. 

15. A system according to Claim 12, wherein the dissemination path 
further comprises: 

the distributed computing environment through which the coalesced rule 
parameters are broadcast to each packet validation device. 

16. A system according to Claim 12, wherein the dissemination path 
further comprises: 

the concast tree through which the coalesced rule parameters are sent to 
each packet validation device via the processing tree nodes. 

17. A system according to Claim 12, wherein the concast tree further 
comprises: 

an in-band communication channel logically defined via bandwidth 
reserved within the distributed computing environment. 

18. A system according to Claim 12, wherein the concast tree further 
comprises: 

an out-of-band communication channel interfacing the packet validation 
devices, the processing tree nodes, and the control center via interconnections 
peripheral to the distributed computing environment. 

19. A system according to Claim 12, wherein the rule parameters each 
comprise: 

source packet information describing a source network address and subnet mask; 

source port information describing a source network port; 
destination packet information describing a destination network address 
and subnet mask; 

destination port information describing a destination network port; and 
network protocol information identifying one or more network protocols. 

20. A system according to Claim 12, wherein the distributed 
computing environment comprises an internet-protocol (IP)-based network. 

21. A method for communicating coalesced rule parameters in a 
distributed computing environment, comprising: 

applying parameterized rules to network packet traffic transiting a 
plurality of packet validation devices communicatively interposed between 
network routing points within the distributed computing environment; 

configuring a plurality of processing tree nodes into a concast tree, 
comprising: 

collecting and coalescing rule parameters from at least one packet 
validation device into a processing tree node in a lowermost layer of the concast 
tree; and 

collecting and coalescing the rule parameters from at least one 
processing tree node in a next lower layer of the concast tree in each successive 
layer of the concast tree; 

assembling the coalesced rule parameters from each packet validation 
device in an uppermost layer of the concast tree into a control center and 
forwarding the assembled coalesced rule parameters to each packet validation 
device. 

22. A method according to Claim 21, further comprising: 

removing duplicate rule parameters and consolidating commonly identified network address space. 

23. A method according to Claim 21, further comprising: 

limiting application of the coalesced rule parameters to those network routing points within a pre-determined vicinity. 

24. A method according to Claim 21, further comprising: 

broadcasting the assembled coalesced rule parameters through the distributed computing environment to each packet validation device. 

25. A method according to Claim 21, further comprising: 

sending the assembled coalesced rule parameters to each packet validation 
device through the concast tree via the processing tree nodes. 

26. A method according to Claim 21, further comprising: 

logically defining an in-band communication channel by reserving bandwidth within the distributed computing environment. 

27. A method according to Claim 21, wherein the concast tree further 
comprises: 

interfacing the packet validation devices, the processing tree nodes, and 
the control center via an out-of-band communication channel using 
interconnections peripheral to the distributed computing environment. 

28. A method according to Claim 21, wherein the rule parameters each 
comprise: 

source packet information describing a source network address and subnet mask; 

source port information describing a source network port; 
destination packet information describing a destination network address 
and subnet mask; 

destination port information describing a destination network port; and 
network protocol information identifying one or more network protocols. 

29. A method according to Claim 21, wherein the distributed 
computing environment comprises an internet-protocol (IP)-based network. 
30. A computer-readable storage medium holding code for performing 
the method of Claim 21. 